
Citrix.com

Solution Guide

Single Sign On for SalesForce with Citrix NetScaler Unified Gateway

This guide focuses on defining the process for deploying NetScaler Unified Gateway as an IdP for SFDC (Salesforce.com).

Citrix.com | Solution Guide | Single Sign On for SalesForce with Citrix NetScaler

Citrix NetScaler Unified Gateway provides users with secure remote access to business applications deployed in the data center or a cloud across a range of devices including laptops, desktops, thin clients, tablets and smart phones. It provides a consolidated infrastructure, simplifies IT and reduces the TCO of the data center infrastructure.

NetScaler Unified Gateway’s SAML integration capabilities allow it to act as a SAML IDP (Identity Provider), enabling SalesForce users to log on to their enterprise SalesForce application portal through NetScaler, removing the need to configure an additional authentication source.

Introduction

This guide describes the successful integration of Citrix NetScaler Unified Gateway with Salesforce.com (SFDC).

SFDC is a leading cloud-based customer relationship management software which is widely used by SMBs and enterprise customers alike to enable their business without significant capital investment. This guide focuses on enabling SFDC single sign-on with Citrix NetScaler.

Configuration

Successful integration of a NetScaler appliance with SFDC requires an appliance running NetScaler software release 11.1 or later, with an Enterprise or Platinum license.

NetScaler features to be enabled

The following feature must be enabled to use single sign-on with SFDC:

SSLVPN
The SSLVPN feature is required for the use of Unified Gateway. It adds support for the creation of SSL-based VPN virtual servers for secure enterprise application access.


Solution Description

Enabling SSO for SFDC with NetScaler consists of two parts: configuring the SFDC portal and configuring the NetScaler appliance. SFDC should be configured to use NetScaler as a third-party SAML IDP (Identity Provider). The NetScaler is configured as a SAML IDP by creating the UG Virtual Server that will host the SAML IDP policy.

The following instructions assume that you have already created the appropriate external and/or internal DNS entries to route authentication requests to a NetScaler-monitored IP address, and that an SSL certificate has already been created and installed on the appliance for the SSL/HTTPS communication. This document also assumes that a SFDC account has been created, the relevant domain has been added and domain verification for the same has been completed.

Before proceeding, you should verify that you have the signing certificate that NetScaler will use to sign the assertion. Salesforce verifies the assertion signature against this certificate, so it must be the same certificate you later select as the IDP Certificate Name in the SAML IDP profile (Part 2). To get the certificate from the NetScaler appliance, follow these steps:

• Log on to your NetScaler appliance, and then select the Configuration tab.
• Select Traffic Management > SSL.
• On the right, under Tools, select Manage Certificates / Keys / CSRs.

From the Manage Certificates window, browse to the certificate you will be using for your UG Virtual Server. Select the certificate and choose the Download button. Save the certificate to a location of your choice. Download only the certificate file (the public half); the private key stays on the appliance and is never uploaded to Salesforce.


Part 1: Configure SFDC

To configure SFDC (also referred to here as Salesforce), log in to your account with administrator credentials, then perform the following steps.

Note: This configuration has been performed with a Developer account on Salesforce. While the look and feel may differ slightly for enterprise accounts, the steps for configuration remain the same. Also note that to see specific settings such as the SAML Service Provider Initiated Request Binding, My Domain configuration must be completed as described at https://help.salesforce.com/HTViewHelpDoc?id=domain_name_overview.htm

1. From Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings, and click Edit. (Alternatively, you can find these settings in the Security Controls section.)
2. Select SAML Enabled. You must enable SAML to view the SAML single sign-on settings.
3. Specify the SAML version as 2.0.
4. Click Save.
5. In SAML Single Sign-On Settings, click the New button to create a new configuration.
6. Give this setting a Name (for example, NetScaler SAML is used here) for reference within your organization. Salesforce inserts the corresponding API Name value, which you can customize if necessary.
7. Enter the Issuer as https://nssaml.citrix.com/saml/login. This example value is the Issuer Name that the NetScaler SAML IDP profile sends (https://<UG vserver FQDN>/saml/login in Part 2). Salesforce compares the Issuer of every assertion against this string and rejects assertions that do not match it exactly, so enter your own UG virtual server FQDN here.
8. For the Entity ID, enter https://<yourdomain>.my.salesforce.com
9. For the Identity Provider Certificate, use the Browse button to locate and upload the certificate that was downloaded earlier from the NetScaler appliance.
10. For the Request Signing Certificate, select the certificate you want from the ones saved in your Certificate and Key Management settings.

Note: You can create a self-signed certificate that Salesforce will use to sign requests in the Certificates and Key Management section, which can then be selected here. After the certificate is created, click on the certificate name to get more details and download the certificate. This certificate is essential and will be uploaded to the NetScaler as the SP certificate in Part 2. More information on this process is available at https://help.salesforce.com/htviewhelpdoc?err=1&id=security_keys_about.htm&siteLang=en_US


11. For the Request Signature Method, select the algorithm Salesforce uses to sign its authentication requests, either RSA-SHA1 or RSA-SHA256. (We have used SHA-1 for this test; make sure the Signature and Digest settings on the NetScaler match this value.) SHA-1 signatures are deprecated; for a production deployment select RSA-SHA256 here and SHA256 for both algorithms on the NetScaler side.

12. Select Assertion Not Encrypted in the Assertion Decryption Certificate field. This field is available only if your organization supports multiple single sign-on configurations.

13. For the SAML Identity Type, select Assertion contains the Federation ID from the User object.
Note: For each user requiring login to SFDC, the Federation ID must be defined by navigating to Manage Users > Edit <user name> and then specifying the Federation ID under Single Sign On Information. It should correspond to the email address in the user's Active Directory profile, because that is the attribute NetScaler will place in the assertion's NameID.
14. For the SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement.
15. For the Service Provider Initiated Request Binding, select HTTP POST.
16. Enter the Identity Provider Login URL as https://<aaavserver domain name>/saml/login and the Identity Provider Logout URL as https://<aaavserver domain name>/cgi/tmlogout, respectively.
Note: These fields appear in Developer Edition and sandbox organizations by default, and in production organizations only if My Domain is enabled. The fields do not appear in trial organizations or sandboxes linked to trial organizations.
17. Leave the Custom Error URL field blank.
18. Click Save.
Note: Once this configuration is completed, go back to the Single Sign-On Settings page and click on the name of the SAML configuration you just created. In the section titled Endpoints, note the Salesforce Login URL. This will be of the form https://<yourdomain>.my.salesforce.com?so=<encoded value>. This value will be used as the Assertion Consumer Service (ACS) URL when configuring NetScaler.


Part 2: Configure the NetScaler Appliance

The following configuration is required on the NetScaler appliance for it to be supported as a SAML identity provider for SFDC:

• LDAP authentication policy and server for domain authentication
• SSL certificate with external and internal DNS configured for the FQDN presented by the certificate (wildcard certificates are supported)
• SAML IDP policy and profile
• UG virtual server

This guide covers the configuration described above. The SSL certificate and DNS configurations should be in place prior to setup.

Configuring LDAP domain authentication

For domain users to be able to log on to the NetScaler appliance by using their corporate email addresses, you must configure an LDAP authentication server and policy on the appliance and bind it to your UG VIP address. (Use of an existing LDAP configuration is also supported)

1. In the NetScaler configuration utility, in the navigation pane, select NetScaler Gateway > Policies > Authentication > LDAP.

2. To create a new LDAP policy: On the Policies tab click Add, and then enter GTM_LDAP_SSO_Policy as the name. In the Server field, click the '+' icon to add a new server. The Authentication LDAP Server window appears.
• In the Name field, enter SFDC_LDAP_SSO_Server.
• Select the bullet for Server IP. Enter the IP address of one of your Active Directory domain controllers. (You can also point to a virtual server IP for the purpose of redundancy if you are load balancing domain controllers.)
• Specify the port that the NetScaler will use to communicate with the domain controller. Use 389 for LDAP or 636 for Secure LDAP (LDAPS). Prefer 636 with Security Type SSL: with plain LDAP on 389, the bind DN password and every user's password cross the network in clear text unless Security Type TLS (StartTLS) is selected.

3. Under Connection Settings, enter the base distinguished name of the container in which the user accounts reside within the Active Directory (AD) for which you want to allow authentication. The example below uses cn=Users,dc=ctxns,dc=net.

4. In the Administrator Bind DN field, add a domain account (using an email address for ease of configuration) that has rights to browse the AD tree. Read access is all it needs. A dedicated service account is advisable, so that there will be no issues with logins if the configured account's password expires.

5. Check the box for Bind DN Password and enter the password twice.


6. Under Other Settings, enter samaccountname as the Server Logon Name Attribute.
7. In the SSO Name Attribute field, enter UserPrincipalName. Enable the User Required and Referrals options. Leave the other settings as they are.
8. Click on More at the bottom of the screen, then add mail as Attribute 1 in the Attribute Fields section. Leave Nested Group Extraction in the Disabled state (we are not going to be using this option for this deployment).
9. Click the Create button to complete the LDAP server settings.
10. For the LDAP Policy Configuration, select the newly created LDAP server from the Server drop-down list, and in the Expression field type ns_true.


Configure the SAML IDP Policy and Profile

For your users to receive the SAML token for logging on to SFDC, you must configure a SAML IDP policy and profile, and bind them to the UG virtual server to which the users send their credentials. Use the following procedure:

1. Open the NetScaler Configuration Utility and navigate to NetScaler Gateway > Policies > Authentication > SAML IDP.
2. On the Policies tab, select the Add button.
3. In the Create Authentication SAML IDP Policy window, provide a name for your policy (for example, SFDC_SSO_Policy).
4. To the right of the Action field, click the '+' icon to add a new action or profile.
5. Provide a name (for example, SFDC_SSO_Profile).
6. In the Assertion Consumer Service URL field, enter the URL obtained earlier during SFDC configuration (https://<yourdomain>.my.salesforce.com?so=<encoded value>).
7. In the SP Certificate Name field, provide the name of the certificate that was downloaded from SFDC and added to the NetScaler. If you have not added it yet, you may do so here by clicking the + button and providing the certificate file and requisite information. NetScaler uses this certificate to verify the signature on the authentication requests Salesforce sends.
8. In the IDP Certificate Name field, browse to the certificate installed on the NetScaler that will be used to secure your UG authentication Virtual Server. This is the certificate whose public half you uploaded to Salesforce as the Identity Provider Certificate; NetScaler signs assertions with its private key.
9. In the Issuer Name field, enter https://<UG vserver FQDN>/saml/login. This must match the Issuer entered in Salesforce (Part 1, step 7) exactly.
10. Set the Encryption Algorithm to AES256. This setting only takes effect if assertion encryption is enabled, which it must not be here, because Salesforce was configured with Assertion Not Encrypted.
11. Set the Service Provider ID field to https://<yourdomain>.my.salesforce.com.
12. Set both the Signature and Digest algorithms to SHA-1, to match the Request Signature Method chosen in Part 1, step 11 (use SHA-256 on both sides where possible).
13. Set the SAML Binding to POST.


14. Click on More, then put https://<yourdomain>.my.salesforce.com in the Audience field.
15. Set the Skew Time to an appropriate value. This is the time difference that will be tolerated between the NetScaler appliance and the SFDC server for the validity of the SAML assertion; the assertion's NotBefore/NotOnOrAfter window is derived from it (in the sample assertion in the Troubleshooting section the window is 15 minutes either side of IssueInstant). Keep the value small and keep the appliance synchronized with NTP.
16. Set the Name ID Format to Unspecified, and put HTTP.REQ.USER.ATTRIBUTE(1) in the Name ID Expression field. This directs NetScaler to send the mail attribute that was defined as Attribute 1 during LDAP configuration as the user ID for SFDC, where it is matched against the user's Federation ID.
17. Click Create to complete the SAML IDP profile configuration and return to the SAML IDP Policy creation window.
18. In the Expression field, add the following expression: HTTP.REQ.HEADER("Referer").CONTAINS("salesforce")
Note: The Referer header is supplied by the client and only selects which SAML IDP profile handles the request; it is not an authentication decision. The assertion is issued only after the user has authenticated against the LDAP policy, and Salesforce accepts it only for the configured Audience and ACS URL.
19. Click Create to complete the SAML IDP configuration.

To Configure your Unified Gateway (UG) Virtual Server

1. Select the Unified Gateway option in the Integrate with Citrix Products section on the navigation panel to initiate the Unified Gateway Configuration Wizard.
2. First, provide an appropriate name, IP address and port for the UG virtual server.
3. In the next step, provide a server certificate (if it is already present on the NetScaler) or install a new certificate that will be used as the server certificate for the UG virtual server.
4. Next, define the authentication mechanism to be used for the UG Virtual Server.
Note: In the Wizard, only the most common authentication mechanisms are configured. Select Active Directory/LDAP and add the LDAP server configured earlier.
5. Set the Portal Theme to Default (or a theme of your choice) and click on Continue.
6. In the Applications section, select the pencil-shaped icon on the top right, then the plus-shaped icon to add a new application. Select Web Application, then provide the ACS (Assertion Consumer Service) URL used in the NetScaler SAML IDP profile earlier, with an appropriate name.
7. Click on Done once the application has been added.
8. To add the SAML IDP policy to the Unified Gateway, navigate to the VPN Virtual Server listing (NetScaler Gateway > Virtual Servers) to find the virtual server created using the wizard (named UG_VPN_<UG vserver name>). Choose the option for editing the virtual server, then add the SAML IDP policy created earlier in the Advanced Authentication section.


After completing the UG configuration above, this is how the Dashboard screen of the UG vserver will look:

Validate the configuration

Point your browser to https://<yourdomain>.my.salesforce.com. You should be redirected to the NetScaler UG logon form. Log in with user credentials that are valid for the NetScaler environment you just configured. Your SFDC profile should appear.

Additional Note

If there are problems with login, they may be caused by Salesforce checking the InResponseTo attribute in the assertion. Although this is an SP (service provider) initiated setup, in which the attribute is normally required, SFDC does not seem to accept it here and its SAML Assertion Validator evaluates the assertion under the IdP-initiated profile. To work around this anomalous behaviour, log in to the NetScaler device, enter the shell prompt by typing shell at the initial prompt, move to the /netscaler folder and give the following command:

nsapimgr_wr.sh -ys call=ns_saml_dont_send_in_response

This is an nsapimgr runtime setting: it is not saved with the running configuration and does not survive a reboot unless the command is added to /nsconfig/rc.netscaler. Be aware of what it trades away: without InResponseTo, Salesforce cannot tie a Response to the AuthnRequest it issued, so every login is processed as if it were IdP-initiated.

This is how the error would be shown in SFDC's SAML Assertion Validator:

6. Miscellaneous format confirmations
InResponseTo must be empty for Idp-init Browser POST Profile


Troubleshooting

To help with troubleshooting, here is the list of entries that should appear in the ns.log file (located at /var/log on the NetScaler appliance) for a successful SAML login. Values such as IDs, digests and signature values will vary, and some entries are cut off where the original capture was truncated. These logs are generic; the logs for SSLVPN will be similar. Two details in this capture are worth comparing against your own: the AuthnRequest IssueInstant (22:01:15Z) is about 86 seconds ahead of the NetScaler log timestamp (21:59:49 GMT), which is the kind of clock drift the Skew Time has to absorb, and the client negotiated TLSv1.0 with a CBC cipher suite, which a current deployment should no longer permit on the UG virtual server.

Jan 24 21:59:49 <local0.debug> 10.105.157.60 01/24/2016:21:59:49 GMT 0-PPE-0 : default AAATM Message 4097 0 : "SAMLIDP: ParseAuthnReq: signature method seen is 4"

Jan 24 21:59:49 <local0.debug> 10.105.157.60 01/24/2016:21:59:49 GMT 0-PPE-0 : default AAATM Message 4098 0 : "SAMLIDP: ParseAuthnReq: digest method seen is SHA1"

Jan 24 21:59:49 <local0.debug> 10.105.157.60 01/24/2016:21:59:49 GMT 0-PPE-0 : default AAATM Message 4099 0 : "SAML verify digest: digest algorithm SHA1, input for digest: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://ctxnstest-dev-ed.my.SFDCtest.com?so=00D280000017RJa" Destination="https://nssaml.abc.com/saml/login" ID="_2CAAAAVMF2dNRME8wMjgwMDAwMDA0Qzk3AAAAxmsWAke7ouLln-jaXRvQESM03_sXxdORaoCaRGabpLrqsZjb_eoAsZKfpXgnuLPpb8uRkVWNvhAa2ni2xVF7AQ1kij21CA6_JNaLgtvPIAV6jhWMUIl-rje3Pq__dW0nFqRzsl96yv766q7aa5bvd02rdqvTpQz38jWz-oOnsnQh5sa7L9EyhHhDpAUrl1VXbyPnmZFlUakABTLWClT_qXZyN3J3xhSaYnLc7-YiBD8VrsehWUyP0dp7Qoeu5RVkwQ" IssueInstant="2016-01-24T22:01:15.269Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ctxnstest-dev-ed.my.SFDCtest.com</saml:Issuer></samlp:AuthnRequest>"

Jan 24 21:59:49 <local0.debug> 10.105.157.60 01/24/2016:21:59:49 GMT 0-PPE-0 : default AAATM Message 4100 0 : "SAML signature validation: algorithm is RSA-SHA1 input buffer is: <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod> <ds:Reference URI="#_2CAAAAVMF2dNRME8wMjgwMDAwMDA0Qzk3AAAAxmsWAke7ouLln-jaXRvQESM03_sXxdORaoCaRGabpLrqsZjb_eoAsZKfpXgnuLPpb8uRkVWNvhAa2ni2xVF7AQ1kij21CA6_JNaLgtvPIAV6jhWMUIl-rje3Pq__dW0nFqRzsl96yv766q7aa5bvd02rdqvTpQz38jWz-oOnsnQh5sa7L9EyhHhDpAUrl1VXbyPnmZFlUakABTLWClT_qXZyN3J3xhSaYnLc7-YiBD8VrsehWUyP0dp7Qoeu5RVkwQ"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"></ec:InclusiveNa

Jan 24 21:59:50 <local0.debug> 10.105.157.60 01/24/2016:21:59:50 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 4101 0 : SPCBId 936 - ClientIP 116.202.102.156 - ClientPort 60823 - VserverServiceIP 10.105.157.62 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "AES-256-CBC-SHA TLSv1 Non-Export 256-bit" - Session Reuse

Jan 24 22:00:05 <local0.info> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAA Message 4106 0 : "In update_aaa_cntr: Succeeded policy for user u3test = ldap2"


Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAATM Message 4107 0 : "extracted SSOusername: [email protected] for user u3test"

Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default SSLVPN Message 4108 0 : "sslvpn_extract_attributes_from_resp: attributes copied so far are [email protected] "

Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default SSLVPN Message 4109 0 : "sslvpn_extract_attributes_from_resp: total len copied 21, mask 0x1 "

Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAATM Message 4110 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, input U0ZEQ19TU09fUHJvZmlsZQBJRD1fMkNBQUFBVk1GMmROUk1FOHdNamd3TURBd01EQTBRemszQUFBQXhtc1dBa2U3b3VMbG4tamFYUnZRRVNNMDNfc1h4ZE9SYW9DYVJHYWJwTHJxc1pqYl9lb0FzWktmcFhnbnVMUHBiOHVSa1ZXTnZoQWEybmkyeFZGN0FRMWtpajIxQ0E2X0pOYUxndHZQSUFWNmpoV01VSWwtcmplM1BxX19kVzBuRnFSenNsOTZ5djc2NnE3YWE1YnZkMDJyZHF2VHBRejM4ald6LW9PbnNuUWg1c2E3TDlFeWhIaERwQVVybDFWWGJ5UG5tWkZsVWFrQUJUTFdDbFRfcVhaeU4zSjN4aFNhWW5MYzctWWlCRDhWcnNlaFdVeVAwZHA3UW9ldTVSVmt3USZiaW5kPXBvc3QmLw=="

Jan 24 22:00:05 <local0.info> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAA EXTRACTED_GROUPS 4111 0 : Extracted_groups "LyncDL,TestDL-LYnc"

Jan 24 22:00:05 <local0.info> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAATM LOGIN 4112 0 : Context [email protected] - SessionId: 28- User u3test - Client_ip 116.202.102.156 - Nat_ip "Mapped Ip" - Vserver 10.105.157.62:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" - Group(s) "N/A"

Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAATM Message 4113 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, input U0ZEQ19TU09fUHJvZmlsZQBJRD1fMkNBQUFBVk1GMmROUk1FOHdNamd3TURBd01EQTBRemszQUFBQXhtc1dBa2U3b3VMbG4tamFYUnZRRVNNMDNfc1h4ZE9SYW9DYVJHYWJwTHJxc1pqYl9lb0FzWktmcFhnbnVMUHBiOHVSa1ZXTnZoQWEybmkyeFZGN0FRMWtpajIxQ0E2X0pOYUxndHZQSUFWNmpoV01VSWwtcmplM1BxX19kVzBuRnFSenNsOTZ5djc2NnE3YWE1YnZkMDJyZHF2VHBRejM4ald6LW9PbnNuUWg1c2E3TDlFeWhIaERwQVVybDFWWGJ5UG5tWkZsVWFrQUJUTFdDbFRfcVhaeU4zSjN4aFNhWW5MYzctWWlCRDhWcnNlaFdVeVAwZHA3UW9ldTVSVmt3USZiaW5kPXBvc3QmLw=="

Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default SSLVPN Message 4114 0 : "UnifiedGateway: SSOID update skipped due to StepUp or LoginOnce OFF, user: u3test"

Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAATM Message 4115 0 : "SAML: SendAssertion: Response tag is <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://ctxnstest-dev-ed.my.SFDCtest.com?so=00D280000017RJa" ID="_c270d0f96123132442d36933c567946d" IssueInstant="2016-01-24T22:00:05Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://nssaml.abc.com/saml/login</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status>"


Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAATM Message 4116 0 : "SAML: SendAssertion: Assertion tag is <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c270d0f96123132442d36933c567946" IssueInstant="2016-01-24T22:00:05Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://nssaml.abc.com/saml/login</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2016-01-24T22:15:05Z" Recipient="https://ctxnstest-dev-ed.my.SFDCtest.com?so=00D280000017RJa"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2016-01-24T21:45:05Z" NotOnOrAfter="2016-01-24T22:15:05Z"><saml:AudienceRestriction><saml:Audience>https://ctxnstest-dev-ed.my.SFDCtest.com</saml:Audience></saml:AudienceRestriction></saml:Condition

Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAATM Message 4117 0 : "SAML: SendAssertion, Digest Method SHA1, SignedInfo used for digest is <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_c270d0f96123132442d36933c567946"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>LrFDglgJA/29P9jWElMXnbynS48=</ds:DigestValue></ds:Reference></ds:SignedInfo>"

Jan 24 22:00:05 <local0.debug> 10.105.157.60 01/24/2016:22:00:05 GMT 0-PPE-0 : default AAATM Message 4118 0 : "SAML: SendAssertion, Signature element is <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_c270d0f96123132442d36933c567946"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>LrFDglgJA/29P9jWElMXnbynS48=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>HU1oBZCHXn7L2/qKT2LzwD13QvlONjsapEBkXlQNbwG83VC61UdTnDFWmn+9RP5QmZt60TvbfCaVx2vVuMzDFi82oO9Rvw3N4TQjnSlFatg3JKDHuOEUfi4pBxJr


Conclusion

NetScaler Unified Gateway provides a secure and seamless experience with SFDC by enabling single sign-on into SFDC accounts, avoiding the need for users to remember multiple passwords and user IDs, while reducing the administrative overhead involved in maintaining these deployments.

Enterprise Sales
North America | 800-424-8749
Worldwide | +1 408-790-8000

Locations
Corporate Headquarters | 851 Cypress Creek Road Fort Lauderdale, FL 33309 United States
Silicon Valley | 4988 Great America Parkway Santa Clara, CA 95054 United States

Copyright© 2016 Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner/s.